Re: Better, more FLAME-like, penetration testing
From: Daniel Clemens <daniel.clemens () packetninjas net>
Date: Fri, 27 Sep 2013 09:34:00 -0500
On Sep 26, 2013, at 2:41 PM, Dave Aitel wrote:
> You use your exploit framework of choice to phish a few people with a PDF exploit. Your exploit is written by a
> professional team and is highly reliable, and you know it triggered because it downloaded your trojan from your
> watering-hole website, but you never got a callback. This is one of those features of modern well-run networks. It's
> sometimes easy to get INTO the network, but hard to get OUT of the network. INNUENDO is an injectable DLL, so not
> easy to catch even by modern AV/HIPS.
>
> By design INNUENDO is highly configurable at build-time, and hot-patchable at runtime using blocks of code that are
> strongly signed and encrypted. One of the core features is that there are channels into and out of the core message
> pumps, and these are themselves hot-swappable. So for PDF exploits, one of the channels you'll use is a PDF sniffer
> that sits in the PDF reader and looks at all new PDFs for signed messages from the C&C. It can then use these to
> update itself with, say, a bi-directional ICMP channel, or a Twitter/IMGUR channel (slightly higher bandwidth). Or a
> local exploit, of course.
>
> One of the main things we're moving into here is a complete break from the concept of tunneling connections into a
> network. Messages move throughout the network and get routed as they want to. INNUENDO handles interruptions in
> connectivity in a completely reliable way - if you switch to DNS tunneling halfway through a big file transfer
> because they've blocked your HTTPS callback, then so be it.
>
> In any case, if you want to be in on the early testing, or want to budget for it in the new FY, let me know!
Awesome, sounds like http://www.youtube.com/watch?v=F3hi5nsy1lE, just not as great on payload protection.
Daniel Uriah Clemens
O +1 202 747 0043 Ext. 7001
M +1 205 567 6850
F +1 205 449 4731
Packet Ninjas LLC
265 Riverchase Pkwy E. Suite 103
Hoover, AL 35244
"Moments of Sorrow are moments of sobriety"
Dailydave mailing list
Dailydave () lists immunityinc com